Windows Vulnerability Actively Exploited By Void Banshee
Written by Karolis Liucveikis on
A recently discovered and patched Windows vulnerability, CVE-2024-43461, has been seen used in the wild by the advanced persistent threat (APT) group Void Banshee. Microsoft describes the vulnerability as a "Windows MSHTML spoofing vulnerability" and first disclosed it to the public following September's Patch Tuesday.
Initially, the vulnerability had been marked as not previously exploited in the wild; however, this was changed following discoveries by Trend Micro security researcher Peter Girnus.
Girnus discovered that Void Banshee was actively exploiting the flaw to install info-stealing malware. Trend Micro, which was also the first to track Void Banshee attack campaigns, detailed these discoveries in a report.
The above-mentioned flaw was disclosed to Microsoft by Trend Micro and Check Point in July of this year. Both security firms disclosed that the zero-day vulnerability was being used to drop the Atlantida info-stealer. The discovery of the vulnerability has been attributed to Check Point researcher Haifei Li, with the security firm summarizing the vulnerability as follows,
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.
While Microsoft retired Internet Explorer in 2022, Windows 10 and 11 users could not browse the Internet using IE. However, it is still packaged with Windows, and users are prompted if they are about to open something with an outdated browser.
That being said, by exploiting the above-mentioned vulnerability, when the victim opens the .url shortcut, which they think is simply opening a PDF, the attacker-controlled website is opened with IE rather than the typical Chrome/Edge. Check Point stated,
From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated. For example, if the attacker has an IE zero-day exploit – which is much easier to find compared to Chrome/Edge, the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE – which is probably not publicly known previously – to the best of our knowledge – to trick the victim into gaining remote code execution.
The Check Point report goes into much greater detail regarding the flaw and how threat actors can exploit it. In speaking to Bleeping Computer, Girnus noted that Void Banshee also used the CVE-2024-43461 flaw to create a CWE-451 condition through HTA file names that included 26 encoded braille whitespace characters, namely "%E2%A0%80" to hide a malicious .hta extension.
When Windows opens this file, the braille whitespace characters push the HTA extension outside the user interface, prompting the end user to open the file. In a further attempt to trick the end user, the file name looks as if it is just a PDF file, with the .hta extension omitted.
Void Banshee and Atlantida
Void Banshee has been determined to be an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files.
The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's current TTPs include crafting URL strings to control Internet Explorer (IE) window sizes and using HTML files to hide malicious downloads from victims.
Regarding the Atlantida info-stealer, Trend Micro states,
...Atlantida stealer, an info-stealer malware with extensive capabilities. Overall, the malware is built from open-source stealers NecroStealer and PredatorTheStealer, incorporating many of the same functions and structures found in these programs. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop.
The info-stealer has several other features, including capturing the victim's screen and gathering comprehensive system information. The stolen data is compressed into a ZIP file and transmitted to the attacker via TCP.
In conclusion, Trend Micro researchers stated that threat actors can exploit disabled services such as Internet Explorer (IE), which poses a significant threat to organizations worldwide. These services have a large attack surface and no longer receive patches, presenting a serious security concern to Windows users.
Further, the ability of threat actors to access unsupported and disabled system services to circumvent modern web sandboxes, such as IE mode for Microsoft Edge, highlights a significant industry concern.
▼ Show Discussion